Your message dated Fri, 08 Mar 2024 07:04:38 +0000
with message-id <e1riuhw-00h0dh...@fasolo.debian.org>
and subject line Bug#1037427: fixed in newlib 4.4.0.20231231-2
has caused the Debian Bug report #1037427,
regarding newlib: reproducible builds: tarball embeds various metadata from build machine
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
1037427: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037427
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: newlib
Version: 3.3.0-1.3
Severity: normal
Tags: patch
User: reproducible-bui...@lists.alioth.debian.org
Usertags: username timestamps
X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org

The source tarball /usr/src/newlib/newlib-3.3.0.tar.xz embeds
timestamps, file mode, username, userid, groupname and groupid of the
build user:

  https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/newlib.html

The attached patch fixes this by passing arguments to tar in
debian/rules to ensure consistent sort order, timestamps, user, group,
uid and gid and file mode in the generated tarball.

According to my local tests, with this patch applied newlib should
become reproducible on tests.reproducible-builds.org once it migrates to
trixie/testing!

Unfortunately, other issues (build paths) tested on unstable and
experimental are still unresolved.

Thanks for maintaining newlib!

live well,
  vagrant

From 9bd70cde30f64de8f34902e73768b6224b7526ed Mon Sep 17 00:00:00 2001 From: Vagrant Cascadian <vagr...@reproducible-builds.org> Date: Fri, 9 Jun 2023 20:12:09 -0700 Subject: debian/rules: Pass arguments to tar for consistent sort order, timestamps, user, group and mode. https://reproducible-builds.org/docs/archives/ --- debian/rules | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/debian/rules b/debian/rules index c7e4891..c4895fb 100755 --- a/debian/rules +++ b/debian/rules @@ -67,7 +67,12 @@ CONFIGURE_FLAGS_NANO = \ dh $@ -B$(BUILD_DIR) --with autotools-dev --parallel debian/newlib-$(DEB_VERSION_UPSTREAM).tar.xz: - tar -acf $@ --exclude=debian --exclude-vcs --exclude='*.dh-orig' `pwd`/../`basename $(TOP_DIR)` + tar -acf $@ --exclude=debian --exclude-vcs --exclude='*.dh-orig' \ + --sort=name \ + --mtime="@$(SOURCE_DATE_EPOCH)" \ + --owner=0 --group=0 --numeric-owner \ + --mode=go=rX,u+rw,a-s \ + `pwd`/../`basename $(TOP_DIR)` override_dh_clean: dh_clean -- 2.39.2
signature.asc
Description: PGP signature
--- End Message ---
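
Review bot: the added `--mtime="@$(SOURCE_DATE_EPOCH)"` line assumes SOURCE_DATE_EPOCH is always set, and nothing in this hunk defines it. If debian/rules runs without that variable in the environment, the option expands to `--mtime="@"`, which is not a valid date for tar. Consider setting a fallback earlier in debian/rules, or failing the target with a clear message when the variable is empty. A smaller point on the same line: `--mtime` on its own rewrites every member's timestamp, so adding `--clamp-mtime` would keep the original mtimes of files older than that time and only clamp newer ones, if preserving upstream timestamps matters for this source tarball.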
--- Begin Message ---
Source: newlib
Source-Version: 4.4.0.20231231-2
Done: Petter Reinholdtsen <p...@debian.org>

We believe that the bug you reported is fixed in the latest version of
newlib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1037...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Petter Reinholdtsen <p...@debian.org> (supplier of updated newlib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 08 Mar 2024 07:19:10 +0100
Source: newlib
Architecture: source
Version: 4.4.0.20231231-2
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packa...@qa.debian.org>
Changed-By: Petter Reinholdtsen <p...@debian.org>
Closes: 984446 1037427 1064733
Changes:
 newlib (4.4.0.20231231-2) unstable; urgency=medium
 .
   * QA upload.
   * Upload to unstable.
 .
 newlib (4.4.0.20231231-1) experimental; urgency=medium
 .
   * QA upload.
   * Orphan package with approval from the current maintainer.
 .
   [ Vagrant Cascadian ]
   * debian/rules: Pass arguments to tar for consistency (Closes: #1037427)
 .
   [ Petter Reinholdtsen ]
   * New upstream version 4.4.0.20231231
     - Fixes CVE-2021-3420 (Closes: #984446).
     - Fixes build problem (Closes: #1064733).
   * Switched from debhelper compat level 9 to 10 to avoid deprecation warning.
   * Updated to Standards-Version 4.6.2.
   * Added some metadata to d/patches/ files.
--- End Message ---
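
The problem described in the bug report above (a tarball that records the build user's timestamps, file modes and ownership) can be checked locally. This is an added example, not part of the original thread or of the newlib packaging; it assumes GNU tar 1.28 or later and GNU coreutils, and every path, date and fallback value in it is constructed for the demonstration.

```shell
#!/bin/sh
# Two trees with identical file contents but different build-machine metadata
# (mtime, umask, creation order) are archived with and without the tar
# arguments named in the bug report, and the archive digests are compared.

# Constructed fallback so the script also runs outside dpkg-buildpackage.
SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH:-1686366729}

make_tree() {   # $1 = parent dir, $2 = umask, $3 = mtime, $4 = creation order
    mkdir -p "$1"
    ( umask "$2"
      mkdir "$1/src"
      for f in $4; do printf 'contents of %s\n' "$f" > "$1/src/$f"; done
      find "$1/src" -exec touch -d "$3" {} + )
}

plain_digest() {        # metadata is taken from the tree as found on disk
    tar -cf - -C "$1" src | sha256sum | cut -d' ' -f1
}

normalized_digest() {   # same archive with the normalizing arguments
    tar -cf - -C "$1" \
        --sort=name \
        --mtime="@$SOURCE_DATE_EPOCH" \
        --owner=0 --group=0 --numeric-owner \
        --mode=go=rX,u+rw,a-s \
        src | sha256sum | cut -d' ' -f1
}

compare() {   # prints "plain=<same|differ> normalized=<same|differ>"
    work=$(mktemp -d) || return 1
    make_tree "$work/a" 022 '2023-01-01 00:00:00 UTC' 'a.c b.c c.h'
    make_tree "$work/b" 077 '2024-03-08 07:19:10 UTC' 'c.h b.c a.c'
    p=differ; n=differ
    [ "$(plain_digest "$work/a")" = "$(plain_digest "$work/b")" ] && p=same
    [ "$(normalized_digest "$work/a")" = "$(normalized_digest "$work/b")" ] && n=same
    rm -rf "$work"
    echo "plain=$p normalized=$n"
}

compare   # prints: plain=differ normalized=same
```

Running `tar -tvf` on an archive produced each way shows which header fields (mode, owner, date) account for the difference.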